I haven’t been exactly active on this blog ever since I got a full time job, really. My full time job recently became open source though, so if anyone is interested in what I’m doing, they can follow me on GitHub.

We’re working there on a cross platform runtime and a native compiler for .NET Core. The project is still in the very early stages, but you can already use it to build a C# Hello World command line program and compile it into a native console app for Windows, OSX, or Linux. The console app you build is a fully native program with no .NET dependencies (the only runtime you need is the C runtime!). It’s lean and launches fast. It’s the thing C# developers have been dreaming about for years.

Quick post. I was shopping for a new home server and was eyeing the new Intel Bay Trail CPUs. The only thing that deterred me from buying it was Intel ARK insisting that Celeron J1900 doesn’t support the Extended Page Table (aka Nested Page Table) feature.

From the past I know that ARK is not exactly the best source of knowledge on EPT (go figure) so I kept searching, but I couldn’t find a confirmation. I found a mention of EPT in someone’s /proc/cpuinfo dump, so I bit the bullet and bought it.

This weekend I was working on a small Windows Phone project to scratch one of my itches. I wanted to create an app that would connect to a ELM327 Bluetooth adapter in my car whenever the adapter is within my phone’s reach and do something with the adapter in the background. The Bluetooth adapter exposes itself as a simple RFCOMM COM port.

I thought I should write down the steps to accomplish this (mostly for my own future reference). I chose to do this with a C# WinRT app. It might work with Silverlight, but I’m not sure about that. You need to target Windows Phone 8.1 since most of these APIs are new to Phone 8.1.

Manifest

First things first – the Package.appxmanifest changes. The app needs to declare the RFCOMM serial port capability and the background task:

Note I said paired – if the device is not paired to the phone yet, it will not show up even if it’s within reach. It might be a good idea to show the user a button that launches the Bluetooth settings system dialog to let them pair new devices. Also note another implication of this – a paired device will show up even if it’s not within reach. This is usually a good thing.

The service object has a few interesting properties that can be shown in the UI to determine what device does it represent. Intellisense is your friend.

Registering a background task

Once we have found a device service to out liking (and maybe let the user pick it in the UI), we can register a background task to fire every time the phone sees the device service being advertised.

Again, the TaskEntryPoint is the full name of the WinRT class implementing the background task that we haven’t implemented yet.

The background task

Background tasks have to be hosted in a separate WinMD file. It can’t be in your main executable. Also, you need to create a project reference from your main executable to the background task WinMD even though you technically don’t need that for the app to compile. This part is really important. If you forget it, your app will just force close without any diagnostic information when the task fires. Don’t forget to do this.

The code in the background task is really simple. The OS already opened a socket for us, so all we need to do is read and write into it:

If you have Windows 8.1, try this: hit the Windows key, start typing “not” until you see autocomplete for Notepad and hit Enter. Now type something in Notepad and repeat the same thing. Notice that when you hit Enter to launch Notepad again, it will reactivate the previous running instance of Notepad. If you have multiple instances of Notepad, it will reactivate an arbitrary instance. I don’t know who the hell thought this is a good idea. Same thing essentially happens with any desktop app (including the Command Prompt which is another thing that infuriates me).

On Windows 8 there used to be this undocumented registry setting (DesktopAppsAlwaysLaunchNewInstance) that no longer works for search results in 8.1. So we have a problem to fix. I won’t go much into details, but if you want this fixed, you can do this:

Install Debugging tools for Windows (free download from MSDN)

Create a directory on your computer to store symbols in (I use c:\localsymbols)

I got recently forced into installing Office 2013 on my computer at work. I was not a big fan of the ALL CAPS menus to begin with (and I’m really happy Visual Studio folks have a regkey to turn that Office plague off in their product), but it really surprised me just how OCD I became over OFFICE. I actually tried avoiding opening Outlook just so I don’t have to deal with EVERYTHING YELLING AT ME ALL THE TIME. The time was right to install Office 2013 at home and put on my reverse engineering hat.

Can I make it lower case again?

I did a cursory search for some of the ribbon text strings in my Office installation and it didn’t take long to find the UTF-16 text strings in msointl.dll. Once I had that, I fired up Outlook under WinDBG and went looking for the spot where msointl.dll gets loaded. I set up a breakpoint on load by typing sxe ld msointl.dll, fired up the process and… breakpoint was not hit.

Once I had the string in the memory, I typed s -su 0x0 L?0xFFFFFFFF "Send / Receive" to find the exact address where the ribbon text was loaded. With an address in hand, it was easy to set up a memory access breakpoint (ba r 1 address) and start debugging.

I will spare you the details of how the text string gets copied and inspected a few times before it’s displayed (and how I had to set up new breakpoints to track the copies as well). It didn’t take long though to find the needle in the haystack – place where the breakpoint was hit with LCMapStringEx on the stack. It turns out Office calls this API with a hardcoded LCMAP_UPPERCASE constant. Locate the push instruction in memory, modify 02 to 00, hit F5. Blam, menu looks as pretty as in Office 2010.

Running Office under WinDBG is not very practical, so I decided I will write a small app for this.

Introducing unOFFIC

I could opt to just patch mso.dll, but that’s hardly practical in the world of software updates and digital signatures. Instead I decided to write a memory patch. This would be really trivial had the code to patch been loaded at the time of process startup. Unfortunately, mso.dll is delay loaded. Hence, the usual trick where you CreateProcess a suspended process, patch memory and resume main thread won’t work. I had to write a small debugger. It is the same amount of fun as it sounds :).

The debugging APIs made things really simple, since they give you a notification when a DLL gets loaded and that’s exactly when we should go and patch that bit in mso.dll.

The last problem was to hook it up so that Office apps always launch under my debugger. I came up with hardly an elegant solution, but works for me – Image File Execution Options. It might break some programs that try to run Office apps programmatically and do interprocess communication afterwards (or wait for them to exit), but that’s a small price to pay for a consistent user experience (the Word previewer in Outlook is affected, for example).

Once I had a way to hook it up at launch, I just decided to go the last mile and write an MSI installer with a complimentary microsite at unoffic.migeel.sk. The link to get the sources is included as well. Enjoy!

A new app hit the Windows Phone marketplace today that claims to keep your device safe from malware. I immediately became interested in it because:

I don’t know of any malware for the Windows Phone.

Even if there was malware that misuses some kind of hole in the Windows Phone security model, this app wouldn’t be able to catch it because of phone’s application model (unless the app itself uses some kind of security hole).

After installing it, it claimed it offers real time protection that would suggest it’s capable of running in the background.

I would consider it a joke app, if it didn’t come from a well-known antivirus company. (Spoiler: It actually is a joke app, but the joke is on the antivirus company.)

A look inside

To satisfy my curiosity, I downloaded the XAP file of the app with Marketplace Browser and Downloader for Windows Phone 7 and opened it with Reflector. Surprise, surprise, this app was ported from Android (or at least that’s what *Droid namespace names suggest). Funny how the game has changed and instead of porting antivirus software from a Microsoft operating system to Linux, people started doing it the other way around.

The scanning UI is concentrated in the DroidSecurityPOC.Scan class and gets invoked in the OnNavigatedTo method. The OnNavigatedTo method is actually the first nugget:

protectedoverridevoid OnNavigatedTo(NavigationEventArgs e){// uninteresting code removed// do the actual scanning, synchronously (we are scared of threads...)(Application.Currentas App).malwareCollection.ScanContainingMedia(this.library);// simulate work in the UI even though the scanning is already completed at this point// people will love thisthis.StartScan();}

The StartScan method looks at the number of files to scan, divides 5 seconds with that number and starts a timer to update the “currently scanned” file name in the UI. Scanning will always take 5+ seconds to complete (closer to 5 seconds if you have few files to scan) and most of the time will be spent waiting for the next timer event to fire. Because all the “scanning” already happened in the ScanContainingMedia method, long time before the UI was first updated.

The scanning algorithm

The DroidSecurityPOC.Data.MalwareCollection class is where the hilarity starts. The ScanContainingMedia method is where all the “scanning” happens. It’s split up in 2 parts: scanning your picture library and scanning your music library. The method doesn’t look at anything else (but that’s not much of a surprise given a marketplace application really cannot access anything else).

At this point, I was still giving the app a chance. Maybe it’s scanning for damaged files that can trigger known exploits in music players or picture viewers. All my hopes disappeared when I looked at the code:

privatevoid ScanContainingMedia(PictureCollection mediaFileCollectiont){// uninteresting code removed// malwareGroup contains a list of known "malware"// for each picture in the libraryforeach(Picture picture in mediaFileCollectiont){// for each known malware (because HashSet is overrated)foreach(string str in malwareGroup.MalwareGroupList){// compare malware name with current file name (!!!!!!!)// NOTE: We call ToLower() on each string to allocate a new string// and never cache the result. This way the garbage collector will// be busy picking up redundant trash and we can have some fun time// with his daughter.// Also, String.Equals(s1, s2, StringComparison.OrdinalIgnoreCase)// is for pussies.if(str.ToLower()== picture.Name.ToLower()){// uninteresting code - add malware to a collection of "effected malware"}}}}

Basically, this code couldn’t be less bothered about the file contents. It only looks at the file name and if it matches the predicate, boom, it’s jailed. No questions asked. Do not pass Go. Do not collect $200.
The list of “dangerous file names” is downloaded from a web service and Rafael Rivera can show you the current “definition file”.

The code also contains an unused method that hints at a future update that will actually look at the file contents, but the method makes me really scared:

publicbool ScanEicar(Picture picture){
Stream image = picture.GetImage();
image.Position= 0L;while((image.Position+ 0x44L)<= image.Length){// the garbage collector still doesn't seem to be busy enough, so// let's allocate an array in a tight loopbyte[] buffer =newbyte[70];
image.Read(buffer, 0, 0x44);// BLAM! Potentially triple the amount of allocated memory by allocating// a string with the contents of the buffer. Note each character// in a string takes up 2 bytes.// Except Convert.ToString will actually return string "System.Byte[]"// for each and every call. What the author probably wanted// is Encoding.ASCII.GetString().if(Convert.ToString(buffer).Contains(@"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")){
image.Close();returntrue;}// Scanning fail: the call to image.Read() already moved the position// by 0x44 bytes. What the author probably wanted to do is// image.Position -= 0x43, but if he did that, the while loop would// run for each byte in the file, allocating about 210 MB from the heap// for a 1 MB file, so the algorithm is probably better off this way.
image.Position+= 1L;}
image.Close();returnfalse;}

Everything (including the release date) hints at this being some kind of a summer intern project at AVG (if it’s not, it’s very disturbing). But AVG, c’mon. Interns do all kinds of wonky stuff. You really don’t need to ship all of it…

When optimizing a very hot path in my code, I sometimes find it useful to see what code the compiler is generating for me. Many times I can spot things that can be easily fixed by rearranging code or adding some typecasts.

But getting my hands on the CLR JIT-generated code disassembly on the Windows Phone was not easy. If you think it’s as easy as breaking into the Visual Studio debugger and pressing Ctrl-Alt-D, you’ll be disappointed:

No disassembly available.

Luckily for us, at least the Memory window in Visual Studio still works. Getting our hands on the JITted code will be hard, but not impossible.

Now add a call to this method in PhoneApplicationPage_Loaded and set up a breakpoint after the method call to make sure it’s JITted when the breakpoint is hit. Deploy your project to the emulator and break into the debugger. Now let’s find the method in memory.

Because we can’t use unsafe code on Windows Phone, and the System.Runtime.InteropServices.Marshal class is off limits, we have to turn our hopes to reflection. Luckily for us, the System.Reflection.MethodInfo class contains a field named MethodHandle whose Value points to some kind of internal CLR runtime structure (MethodDesc?). Even though it’s undocumented, we can probably recognize pointers in it and try our luck disassembling memory they point to.

Open the Immediate window in Visual Studio and type:

?typeof(MainPage).GetMethod("Foo").MethodHandle.Value

Executing the above statement in my debugging session gave me 0x0658c910. Looking at that offset in the memory window gave me this:

0x0658C910 e8 a0 b6 03 b8 c5 58 06 0e 00 00 06 01 00 86 00

Following the first pointer to 0x03b6a0e8 (remember, little-endian) will give you this:

See the string ef be ad de? That has to be our code! Dump the contents of the memory window to a file and save it.

Now fire up your favorite ARM disassembler and load the dumped bytes at offset 0x03B6A0E8. Does it look like trash? It is trash! That’s because the code you are actually looking at is x86, not ARM. How is that possible? The JIT compiler in the Windows Phone emulator produces x86 code. It actually makes sense, because running native code is faster than emulating ARM code. This is probably the reason why the Phone emulator needs hardware virtualization and can’t run under Hyper-V. Most of it runs as i386 code! To see the actual ARM code of the method, you have to dump it from your physical device.

But because we already have the x86 code dumped, let’s have a look at it:

The method uses a rather big add eax, 0 instruction as a nop. A nop with side effects.

First point can partially be explained by the fact that I was running an unoptimized version (the Debug project configuration), but is closely related to the second, third and fourth point: what we are looking at is code generated by an ARM code generator that was hacked to generate x86 code! The last instruction in the listing is a dead giveaway.

You’ll probably notice the code is still not very optimal. As it turns out, the JIT code generator heavily favors code generation speed against code quality. To get most of your CPU cycles, you have to be very careful about how you write your code.

I hope this short post will be useful to you when doing your own Windows Phone .NET code generation investigations. I plan to follow up with some notes on what optimizations you can expect from the Windows Phone CLR code generator that I gathered while optimizing my GameBoy emulator to run on my phone.

Two more useful thing to note: when dumping the method to a file, look at the bytes preceding the method body. Every method has some kind of a header that has (apart from other stuff) 2 pointers in it: pointer to the end of the method body and a pointer to the end of method body including the literal pool. It seems like the header is different depending on whether you deploy a retail or debug configuration.

Many times it’s easier to just dump the whole JIT code heap instead of doing it method by method. After you find the address of your method, just scroll up in the Memory window until you hit uncommited memory region (filled with question marks). Then dump everything starting from there to the end of the heap (a big block of zeroes or question marks).

When it comes to choosing a disassembler, you can try GNU objdump, but if you want something painless, IDA Pro is probably your only option. Get the demo and use this workaround to open raw binaries in it.

I recently stumbled upon a very interesting project – a CIL (.Net assembler) backend and frontend for GCC.

Suppose you have source code in one of the languages supported by GCC (C, C++, Ada, Fortran,…) and you want to use the code from managed code (say, a C# application). A CIL backend would allow you to do just that – compile and link the C code into a .Net assembly so you can link it with C# code.

Now suppose you have a managed .Net assembly and want to compile it to native code for one of the architectures supported by GCC (ARM, amd64, x86, MIPS,… on Linux, Windows, Darwin,…). A GCC frontend allows you to do just that. Take .Net CIL code and compile it to native code.

GCC-CLI

There is a branch in GCC allowing you to do just that. The branch is called GCC-CLI. Even though it’s still very experimental, it already allows you to do a few interesting things. For example: compile C code into managed code using the CIL backend and then use the CIL frontend to compile the managed code to native code.

The backend is quite useful already. I was able to compile my pet C compiler into a fully managed EXE. Not even the Managed C++ compiler from Microsoft can do that! (Managed C++ creates mixed-mode assemblies, which are not fully managed and even if you try to get past this limitation with compiler switches, you get burned by the CRT library.)

The frontend only supports a limited subset of CIL and lacks a runtime library that would do garbage collection and other services (like GCC does with Java – libgcj). So it’s not that useful, yet. But the potential is huge!

A Windows binary specially for the readers of my blog :)

You can try it out yourself. The build instructions are here. You can build it with MSYS and MingW on Windows, but the build process is quite painful. If you don’t want to build it yourself, you can download the Windows binary of GCC with 32bit CIL backend here (7-zip archive – I hope you know what to do with that). Download the archive even if you want to build it yourself. There is a text document with a bunch of notes on how I built it.

Unpack the archive somewhere and run bin\_BUILDTEST.cmd to build a hello world C application. To run the generated _test.exe, you’ll need the assemblies from lib\ to be present in GAC, or in the same folder as the EXE (just copy them over to bin\ and be done with it). Otherwise it will crash. Also, .Net framework is necessary (obviously).

Only C is supported in my build. I was not successful with C++ (it looks like the backend can’t handle exceptions) and didn’t try anything else.

Topics:Uncategorized | Comments Off on .Net back- and frontend for GCC

Okay, quick post because this is too awesome to not to write about it. Rafael Rivera from withinwindows.com and Long Zheng from istartedsomething.com have put together a driver for Windows Location API in Windows 7. The driver provides geolocation information for location-aware Windows applications using Google’s Location Services. All it needs is your WiFi turned on (or your IP address, but that’s less precise) and internet connection.

I am really impressed by the accuracy of thins thing (2 locations tested so far and the accuracy was ~30 meters). The best thing: it’s free. Go grab it from geosenseforwindows.com.